Unfortunately, being PCI DSS compliant does not always guarantee that your data is secure. There are numerous cases in which data security breaches have put companies in the headlines for reasons they wish they weren't. In this case study report we will discuss two such breaches in detail and outline where the companies went wrong.
The first company is Heartland Payment Systems (HPS), which hit the headlines in January 2009 when they became the victim of one of the largest data security breaches in U.S. history. Although the actual number of credit card details stolen has never been confirmed, it was said to be in the tens of millions. The theft was carried out over a four-month period during which HPS was processing over one hundred million transactions per month. It is surprising to hear that only two weeks before this malware attack took place, HPS were audited and accredited as PCI compliant by their Qualified Security Assessor (QSA) (Hays, 2012).
HPS had always prided
When this happened, HPS immediately identified and rectified the issue, or so they thought. In May 2008 the malware managed to move into the payment processing network without being detected. It wasn't until October 2008, when one of the major card brands highlighted some information that they thought was a potential issue, that HPS decided to escalate the investigation by hiring three different forensics firms to analyse their IT security. To their relief, all three firms' reports came back saying that the IT security network was free of malware. HPS believed they were malware free until their own staff members found the malware four months later.
Since this breach, HPS have strengthened their IT security by implementing new policies, such as:
· Encrypting cardholder data from the beginning of the transaction, right to the end of the